What is the default value of Access-Control-Allow-Origin header?

Question

Is "*" or the server's URI the default value for Access-Control-Allow-Origin header? If the header is not set, does it mean that every origin has access to the resource?

Answer 1

As the name Access-Control-Allow-Origin itself suggests, the Allow-Origin part of the name asks us the tell the origin names which are allowed to request resources. That clearly means the logical virtual-ish (which actually does not exist and illogical to set) default value of the Access-Control-Allow-Origin is the origin itself on which the resource is hosted.

Is "*" or the server's URI the default value for Access-Control-Allow-Origin header

If that was the case, then every organization's server who do not set the header are at a great threat !!

Answer 2

Came across this looking for the headers that work without CORS and found this nice safe list from Mozilla: https://developer.mozilla.org/en-US/docs/Glossary/CORS-safelisted_request_header

A CORS-safelisted request header is one of the following HTTP headers:

Accept,
Accept-Language,
Content-Language,
Content-Type.

Answer 3

There is no default value.

If it isn't set, then it isn't set. If it is set, then it must have an explicit value.

If the header is not set, does it mean that every origin has access to the resource?

No. It means that the Same Origin Policy is enforced as normal. No origins are granted permission.

the server's URI

There is no reason to ever set the Access-Control-Allow-Origin to be the server's own URL. Same Origin requests don't need permission from CORS.